Security threats Toolkit

Second Sasser spreads faster

Tags:
Virus,
,
Spread,
Sasser

Robert Lemos and Dawn Kawamoto CNET News

Published: 04 May 2004 09:00 BST

A newer, better-built version of the Sasser worm has boosted the infectiousness of the original, spreading to more than 10,000 computers over the weekend, antivirus company Symantec said on Monday.

The new worm, Sasser.B, like its predecessor, Sasser.A, takes advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a File Transfer Protocol (FTP) server and then downloading themselves to the new host.

The original version of the Sasser worm spread slowly, but the Sasser.B version released last Saturday is infecting computers much faster.

"The worm has improved significantly," said Alfred Huger, senior director of Symantec's security response centre, who added that Symantec was not yet sure exactly what changes had been incorporated into the new version. At least two other variants of the worm, Sasser.C and Sasser.D, are also spreading around the Internet but differ little from the previous worms, Symantec said.

The University of Massachusetts at Amherst discovered just that, when students connected their already infected computers to the campus networks on Monday. The ensuing outbreak resulted in 1,100 computers compromised with Sasser, said Scott Conti, network operations manager for the university.

"All the machines that have gotten the virus haven't been patched," he said, adding that university security lists have been active, with other network administrators reporting the same. "I think everybody has got it pretty bad."

While many other universities battled with the worm over the weekend, others -- such as UMass -- weren't infected until someone connected to the network with an infected computer.

Sasser is proving to be an ordeal for the university, which has to deal with about 5,000 compromises by worms, viruses and bot software every semester, Conti said.

"It is unfortunate that dealing with these outbreaks now has to be part of our whole business plan," he said.

Delta Air Lines encountered problems in Atlanta with its computers for more than 6 hours, resulting in delays. However, the cause of the problems was still unknown, spokeswoman Catherine Stengel said.

"We won't know until at least tomorrow what caused the issues," she told ZDNet UK sister site CNET News.com.

Airline Air Canada cancelled flights in August due to its network being infected with a variant of the MSBlast worm. The MSBlast.B worm, also called Welchia and Nachi, spread so aggressively that it inundated many companies' networks with data. Air Canada said its network couldn't deal with the amount of traffic generated by MSBlast.B.

This time around, telecommunications provider SBC tried to minimise the problem for its Internet customers. The company warned them by email this weekend about the worm and urged them to patch their systems.

"It is extremely important you [patch your systems] now, because it's likely you will not be able to take these measures, if your computer becomes infected," the company told customers.

The original worm did not spread very quickly last Friday and Saturday, according to security experts. Some Windows XP users asked for help on a support list when, as a side effect of infection, their computers displayed an error message and restarted.

"The number of home users seeking help on cleaning the Sasser worm in the MS Windows XP Technical Support newsgroup is far less than last year, when the MSBlast worm was released," said Yan Kei "Kenrick" Fu, a Hong Kong college student and a frequent adviser on Microsoft's support lists.

By last Monday morning, Symantec was able to confirm -- by scanning for open FTP servers on computers, from which the company's sensor detected potential attacks -- that 10,000 computers had been infected by the Sasser worm.

The Sasser variants can spread rapidly from an infected computer to one that is vulnerable without any user interaction. The worm spreads by scanning different ranges of Internet addresses using a specific application data channel, or port, numbered 445.

Microsoft has analysed the worm and believes that it also spreads through port 139. Both are data channels used by the Windows file-sharing protocol and, in many cases, are blocked by Internet service providers. Once a vulnerable system is found, Sasser installs FTP server software and then transfers itself to the new host.

Symantec's Huger said the amount of data that addresses port 445 makes it difficult to differentiate worm traffic from other, legitimate traffic. Moreover, recent modifications to attack bot software cause other malicious programs to use the same port.

"Port 445 is the busiest port in existence," Huger said.

Symantec raised Sasser.B to a seriousness level of 4 from level 3 on its five-point scale last Sunday afternoon. The security software company had only 200 reports of the original Sasser worm from its customers, but it's gotten more than 5,000 reports of the new version since Saturday.

Huger warned customers that many compromised systems may not be visible to external security surveys and detection, meaning that the actual number of infected systems could be higher. While Symantec and others that monitor Internet security believed that previous worm MSBlast had spread to perhaps 500,000 computers, Microsoft discovered that almost 10 million computers have been infected to date.

Internal networks belonging to companies that didn't patch their systems in time could be teaming with infected systems, Huger said. "The majority of the damage that we are going to see is going to be on the internal network," he said.

Rival antivirus company Panda Software raised Sasser.A and Sasser.B to a red alert status from amber last Sunday.

"This worm could definitely hit as many computers as MSBlast," said Patrick Hinojosa, Panda's US chief technology officer. MSBlast, also known as Blaster, launched last summer and exploited a vulnerability as widespread as the flaw that Sasser uses to infiltrate systems.

Panda has also detected Sasser.C and D variants, which could also be upgraded to red alerts Monday, Hinojosa said. These two variants can look for 1,024 separate IP addresses simultaneously -- as a means to spread itself -- making it more virulent than the original, he added.

The Sasser worm does not carry a destructive payload, but it can result in system degradation, antivirus experts say.

"It can cause machines to reboot when connecting to the Internet. So, if you're a company, your edge servers will be continually rebooting," Hinojosa said.

Although Sasser.B does not feature a back door to allow spammers and others to enter a user's system, Symantec's Huger said he would not be surprised if that feature is added to later versions of Sasser.